
HTTP MS IE ADODB Stream SavetoFile

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects attempts to exploit a remote code execution vulnerability using the ADODB.Stream ActiveX Object.

Additional Information

The Microsoft ActiveX Data Objects 2.5 Library provides support for the ADODB.Stream Object. This object may be accessed by various methods from within ASP pages or through client-side scripting languages such as VBScript and JavaScript/JScript. ADODB.Stream is generally used for receiving binary data from an external source and storing it in a file.

Microsoft Internet Explorer is prone to a security weakness that may permit malicious HTML documents to create or overwrite files on a victim file system when interpreted from the Local Zone (or other Security Zones with relaxed security restrictions, such as the Intranet Zone).

This weakness depends on scripting that abuses the ADODB.Stream Object to write an attacker-specified file to the victim file system. In particular, it is possible to read data from an attacker's Web site by calling the Open method on the Microsoft.XMLHTTP Object. This data may then be stored on a target computer when the Write and SaveToFile methods are called on the recipient ADODB.Stream Object. In this manner, an HTML document that is interpreted in the context of a Security Zone with relaxed security restrictions may install a malicious file on the victim file system.

Exploitation of this weakness typically requires other vulnerabilities to redirect the browser into the Local Zone (or other appropriate Security Zone) then reference the malicious content once it has been written to the client file system. Examples of security issues that may be exploited in combination with this weakness are described in BIDs 8577, 9798, 9769, 10473, and 10472. Other attack vectors also exist, such as enticing a user to download an HTML document to their system then opening it with the Web browser. HTML email may also provide an attack vector for this weakness (in combination with other vulnerabilities). Cross-site scripting and HTML injection vulnerabilities in Web applications may also provide a surreptitious attack vector in unsuspecting clients.

This issue was publicized in August 2003 and was previously referenced in BID 8577 "Multiple Microsoft Internet Explorer Script Execution Vulnerabilities" but is now being assigned its own BID. There are numerous exploits and worms in the wild that depend on this issue, in tandem with other known vulnerabilities, to install malicious code on client computers.

PLEASE NOTE: In some instances where the attempt to overwrite the file may be encoded, this signature may fail to match.

Affected

  • Microsoft Internet Explorer 5.5, 5.5 SP1, 5.5 SP2, 6.0, 6.0 SP1

Response

Workaround:

It is possible to work around this issue by setting the Kill Bit on the ADODB.Stream Object, for example:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000566-0000-0010-8000-00AA006D2EA4}]
"Compatibility Flags"=dword:00000400

Further information about setting the kill bit can be found here:
How to Stop an ActiveX Control from Running in Internet Explorer
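
To confirm the kill-bit workaround above actually took effect, the following added example (not Symantec's or Microsoft's code) audits a registry export for the ADODB.Stream CLSID. It assumes the export has already been decoded to text; the function names and the sample exports are constructed for illustration.

```python
import re

# CLSID of ADODB.Stream and the kill-bit flag, as given in the workaround above.
ADODB_STREAM_CLSID = "{00000566-0000-0010-8000-00AA006D2EA4}"
KILL_BIT = 0x00000400
SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
DWORD_RE = re.compile(r'^"Compatibility Flags"\s*=\s*dword:(?P<val>[0-9a-fA-F]{1,8})$')
COMPAT_SUFFIX = "\\internet explorer\\activex compatibility\\"


def kill_bit_status(reg_text, clsid=ADODB_STREAM_CLSID):
    """Map each ActiveX Compatibility key for clsid to True if its kill bit is set.

    The value is a bit mask, so 0x401 counts as set; a key that has no
    "Compatibility Flags" value counts as not set.
    """
    wanted = COMPAT_SUFFIX + clsid.lower()
    status, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        section = SECTION_RE.match(line)
        if section:
            key = section.group("key")
            # Key names and CLSIDs are case-insensitive in the registry.
            current = key if key.lower().endswith(wanted) else None
            if current:
                status[current] = False
            continue
        value = DWORD_RE.match(line)
        if current and value:
            status[current] = bool(int(value.group("val"), 16) & KILL_BIT)
    return status


def is_protected(reg_text):
    """True only if the key is present and every matching key has the kill bit."""
    status = kill_bit_status(reg_text)
    return bool(status) and all(status.values())


# Constructed sample exports (not taken from a real host).
SAMPLE_OK = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000566-0000-0010-8000-00aa006d2ea4}]
"Compatibility Flags"=dword:00000401
'''
SAMPLE_WEAK = SAMPLE_OK.replace("00000401", "00000001")

if __name__ == "__main__":
    print(is_protected(SAMPLE_OK), is_protected(SAMPLE_WEAK), is_protected(""))
```

A host whose export contains no entry for the CLSID is reported as unprotected, which is the state of a machine where neither the workaround nor the update has been applied.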

It is also reportedly possible to make the Local Zone/My Computer Zone visible from the Internet Options -> Security tab with the following registry edit:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"Flags"=dword:00000001

Once this Security Zone is visible, users may set their security settings to be more restrictive at their own discretion. For example, a user may use the security settings associated with the Restricted Security Zone.

These workarounds have not been tested by Symantec.

Solution:

Microsoft has released a knowledge base article, KB870669, informing users on how to disable the ADODB.Stream object from Internet Explorer. Please see the referenced article for further information.

Microsoft has also released a Critical Update Windows-KB870669-x86-ENU.exe. This update will disable the ADODB.Stream object.

Microsoft Internet Explorer 5.5:
Microsoft Patch Q269368
Microsoft Patch Q279328
Microsoft Patch scripten
Microsoft Patch ste51en
Microsoft Patch scripten.exe
Microsoft Patch scr55en
Microsoft Service Pack Service Pack 2 for Internet Explorer 5.5
Microsoft Patch Q318089
Microsoft Patch Q323759
Microsoft Patch q329414_mdacall_x86.exe
Microsoft Patch q328970
Microsoft Patch q324929
Microsoft Patch Q813489
Microsoft Patch Windows-KB870669-x86-ENU.exe

Microsoft Internet Explorer 5.5 SP1:
Microsoft Service Pack Service Pack 2 for Internet Explorer 5.5
Microsoft Hotfix Q299618
Microsoft Patch Q279328
Microsoft Patch q316059_IE 5.5SP1
Microsoft Patch Q316059
Microsoft Patch Q318089
Microsoft Patch Q319182 IE5.5 SP1
Microsoft Patch q321232
Microsoft Patch Q323759
Microsoft Patch q329414_mdacall_x86.exe
Microsoft Patch q328970
Microsoft Patch q324929
Microsoft Patch Q813489
Microsoft Patch Windows-KB870669-x86-ENU.exe

Microsoft Internet Explorer 5.5 SP2:
Microsoft Hotfix Q299618
Microsoft Patch Q306121
Microsoft Hotfix Q312461
Microsoft Hotfix Q313675
Microsoft Patch q316059_IE 5.5SP2
Microsoft Patch Q316059
Microsoft Patch Q318089
Microsoft Patch Q319182 IE5.5 SP2
Microsoft Patch q321232
Microsoft Patch Q323759
Microsoft Patch q329414_mdacall_x86.exe
Microsoft Patch q328970
Microsoft Patch q324929.exe
Microsoft Patch q324929
Microsoft Patch Q810847
Microsoft Patch Q813489
Microsoft Patch Q818529
Microsoft Patch Cumulative Patch for Internet Explorer (822925)
Microsoft Patch Cumulative Patch for Internet Explorer (828750)
Microsoft Patch Cumulative Security Update for Internet Explorer 5.5 Service Pack 2 (KB824145)
Microsoft Patch Cumulative Security Update for Internet Explorer 5.5 Service Pack 2 (KB832894)
Microsoft Patch Windows-KB870669-x86-ENU.exe

Microsoft Internet Explorer 6.0:
Microsoft Patch Q306121
Microsoft Hotfix Q312461
Microsoft Hotfix Q313675
Microsoft Patch q316059_IE6
Microsoft Patch Q316059
Microsoft Patch Q318089
Microsoft Patch Q319182 IE6
Microsoft Patch q321232
Microsoft Patch Q323759
Microsoft Patch ie6sp1
Microsoft Patch q329414_mdacall_x86.exe
Microsoft Patch q328970
Microsoft Patch q324929.exe
Microsoft Patch q324929
Microsoft Patch Q813489
Microsoft Patch Q818529
Microsoft Patch Cumulative Patch for Internet Explorer (822925)
Microsoft Patch Cumulative Patch for Internet Explorer (828750)
Microsoft Patch Cumulative Security Update for Internet Explorer 6 (KB824145)
Microsoft Patch Cumulative Security Update for Internet Explorer 6 (KB832894)
Microsoft Patch Cumulative Security Update for Internet Explorer for Windows Server 2003 64-bit Edition (KB832894)
Microsoft Patch Cumulative Security Update for Internet Explorer for Windows Server 2003 (KB832894)
Microsoft Patch Windows-KB870669-x86-ENU.exe

Microsoft Internet Explorer 6.0 SP1:
Microsoft Patch q329414_mdacall_x86.exe
Microsoft Patch q328970
Microsoft Patch q324929.exe
Microsoft Patch q324929
Microsoft Patch Q810847
Microsoft Hotfix Q813951
Microsoft Patch Q813489
Microsoft Patch Q818529
Microsoft Patch Cumulative Patch for Internet Explorer (822925)
Microsoft Patch Cumulative Patch for Internet Explorer (828750)
Microsoft Patch Cumulative Security Update for Internet Explorer 6 Service Pack 1 (KB824145)
Microsoft Patch Cumulative Security Update for Internet Explorer 6 SP1 64-bit Edition (KB824145)
Microsoft Patch Cumulative Security Update for Internet Explorer for Windows Server 2003 (KB824145)
Microsoft Patch Cumulative Security Update for Internet Explorer for Windows Server 2003 64-bit Edition (KB824145)
Microsoft Patch Cumulative Security Update for Internet Explorer 6 SP1 64-bit Edition (KB832894)
Microsoft Patch Cumulative Security Update for Internet Explorer 6 Service Pack 1 (KB832894)
Microsoft Patch Windows-KB870669-x86-ENU.exe
